Understanding CISA’s Binding Operational Directive (BOD) 23-01
CISA Binding Operational Directive (BOD) 23-01, Improving Asset Visibility and Vulnerability Detection on Federal Networks, announced on October 3rd, states that “continuous and comprehensive asset visibility is a basic pre-condition for any organization to effectively manage cybersecurity risk.” Prompted by the rise in attack campaigns such as SolarWinds, BOD 23-01 specifies the need for IT asset discovery and vulnerability enumeration, with the intention of reducing organizations' cyber risk.
IT Asset Discovery is an activity through which an organization identifies which network-addressable IP assets reside on its networks and records their associated IP addresses (hosts). The directive's scope mandates the identification of both IPv4 and IPv6 assets.
Vulnerability Enumeration identifies and reports suspected vulnerabilities on the discovered assets, using context on host attributes (e.g., operating systems, applications, open ports, etc.) and matching them against information on known vulnerabilities.
The goal of CISA BOD 23-01 is for agencies to comprehensively achieve the following outcomes:
- Maintain an up-to-date inventory of networked assets as defined in the scope of this directive.
- Identify software vulnerabilities, using privileged or client-based means where technically feasible.
- Track how often the agency enumerates its assets, what coverage of its assets it achieves, and how current its vulnerability signatures are.
- Provide IT asset discovery and vulnerability information to CISA’s CDM Federal Dashboard.
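The third outcome above asks agencies to track enumeration cadence, asset coverage and signature currency. As an added illustration (not code from the original post or from CISA's CDM program), the following script computes those three figures from a constructed asset inventory and a constructed enumeration log; address normalization matters because the same IPv6 host can appear in several textual forms.

```python
# Added example: measure the tracking outcomes named in BOD 23-01 from
# constructed data. Inventory and log contents below are made up.
import ipaddress
from datetime import date, datetime, timedelta

# Constructed inventory of discovered hosts, IPv4 and IPv6, in mixed notation.
INVENTORY = ["10.0.0.5", "10.0.0.6", "2001:db8::1",
             "2001:0db8:0000:0000:0000:0000:0000:0002"]

# Constructed enumeration log: (host, scan time, date of signature feed used).
ENUMERATIONS = [
    ("10.0.0.5", "2022-10-10T02:00", "2022-10-09"),
    ("2001:db8::2", "2022-10-10T02:05", "2022-10-09"),
    ("10.0.0.5", "2022-10-17T02:00", "2022-10-16"),
    ("10.0.0.6", "2022-10-17T02:10", "2022-10-16"),
]

def canon(host):
    """Normalise an address so '2001:0db8::0002' and '2001:db8::2' match."""
    return str(ipaddress.ip_address(host))

def coverage(inventory, enumerations, now, window_days):
    """Share of inventoried assets enumerated in the last window_days,
    plus the sorted list of assets that were missed."""
    cutoff = now - timedelta(days=window_days)
    recent = {canon(h) for h, ts, _ in enumerations
              if datetime.fromisoformat(ts) >= cutoff}
    assets = {canon(h) for h in inventory}
    covered = assets & recent
    return len(covered) / len(assets), sorted(assets - covered)

def cadence_days(enumerations):
    """Largest gap (days) between consecutive enumeration runs, or None."""
    dates = sorted({datetime.fromisoformat(ts).date() for _, ts, _ in enumerations})
    if len(dates) < 2:
        return None
    return max((b - a).days for a, b in zip(dates, dates[1:]))

def signature_age_days(enumerations, now):
    """Age in days of the newest vulnerability signature feed used."""
    newest = max(date.fromisoformat(sig) for _, _, sig in enumerations)
    return (now.date() - newest).days

def report(inventory, enumerations, now_iso, window_days):
    """Bundle the three BOD 23-01 tracking metrics for a given point in time."""
    now = datetime.fromisoformat(now_iso)
    cov, missed = coverage(inventory, enumerations, now, window_days)
    return {"coverage": cov, "not_enumerated": missed,
            "cadence_days": cadence_days(enumerations),
            "signature_age_days": signature_age_days(enumerations, now)}

if __name__ == "__main__":
    print(report(INVENTORY, ENUMERATIONS, "2022-10-18T00:00", 14))
```

Hosts that appear in the inventory but never in the enumeration log are the gap a dashboard should surface, since an asset that is discovered but not enumerated still counts against coverage.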
Moreover, federal civilian agencies are not the only organizations that should heed the BOD 23-01 announcement. External attack surface management is already the number one investment priority for large enterprises in 2022, and with good reason: sprawling collections of known and unknown internet-facing assets are universal risk vectors, expanding organizations' digital footprint and exposure.
Implementing Controls to Meet BOD 23-01 Objectives
In response to this directive, organizations need to consider how they can obtain an accurate and continuous view of their externally facing assets, and how to use that information to feed and elevate their vulnerability management program.
Attack Surface Management (ASM) discovers externally exposed IPv4 and IPv6 assets through continuous and automated monitoring designed to uncover shadow IT and integrate with your security ecosystem.
A combination of people, process, and technology, ASM involves discovering IT assets, then prioritizing and fixing attack vectors based on the pathways a real attacker would take to target an organization. The adoption of ASM technology is designed to reduce organizations' cyber risk.
Don’t Delay ASM Adoption
CISA’s BOD 23-01 directive comes at a critical time. In the past 12 months, 7 in 10 organizations have fallen victim to a cyberattack originating from an unknown or unmanaged asset.
“The government is now codifying the fact that attack surface management is extremely important. The business world has already been engaging in this area. Most CISOs recognize that attack surface management is an area where companies can start to incorporate offensive security into their overall cyber strategy.” – Dan MacDonnell, Chief Strategy Officer, Randori
According to a report by BetterCloud, a SaaS management platform vendor, the average number of SaaS apps running on corporate networks could be more than three times what IT departments think. Another study finds that over 90% of the cloud assets used in a typical enterprise environment are unknown to IT teams.
Common sources of unknown network-connected assets include:
- Shadow IT cloud instances and workloads.
- Devices connected to employee home networks.
- IoT devices.
- Disconnected or dormant accounts.
- Microsites created by marketing teams.
- Applications used by third-party contractors.
The adoption of ASM gives organizations a powerful tool to gain a comprehensive understanding of their attack surface. With ASM’s ability to deliver powerful prioritization insights and perform early IT asset discovery, administrators will be able to get on target quicker and remediate the vulnerabilities that matter most.
Leveling Up Vulnerability Management
Exposure management extends beyond vulnerabilities; patching every known vulnerability is an operationally infeasible goal. The average mean time to patch (MTTP) is between 60 and 120 days, leaving a large window for adversarial exploitation. To move to the offensive, organizations should consider how to feed prioritization algorithms into their existing vulnerability management program to get on target faster.
“Finding and bringing unknown assets under management is already a massive win for organizations, but the real value of ASM is achieved when the data is integrated across the IT and security organizations.” – Forrester, Find And Cover Your Assets With Attack Surface Management
Leveraging adversarial insight for prioritization of vulnerabilities will result in a more tightly managed attack surface, improving overall cyber resiliency.
It Pays to Be Offensive In Security
Randori offers a Unified Offensive Security Platform designed to bring clarity to your cyber risk through the convergence of external attack surface management and continuous and automated red teaming.
Randori’s platform helps organizations answer the critical questions: “What does my organization look like from an attacker’s point of view, and how should it find and prioritize the issues attackers will see first?” and “What would happen if an attacker carried out a campaign against my organization’s infrastructure, how would its defenses cope, and how would its processes perform?”
Randori Recon is an external attack surface management solution designed to perform IT asset discovery of your IPv4 and IPv6 assets through a high-fidelity discovery approach. Starting with what is definitively you, Randori Recon attributes assets to your organization. Once identified, these assets provide actionable insights through adversarial context to get your organization on target faster. Additionally, through low-friction operations, Randori offers out-of-the-box bidirectional integrations into your existing security stack, such as the Tenable.io and Qualys vulnerability management tools, to level up your vulnerability management program.
Operate confidently with Randori.